16.0+: Relaxed fix for DNS leaks with app-based VPNs from GrapheneOS

Signed-off-by: Tavi <tavi@divested.dev>
Tavi 2024-07-31 20:40:22 -04:00
parent 5fb3319508
commit 72ff1b1a4d
No known key found for this signature in database
GPG Key ID: E599F62ECBAEAF2E
17 changed files with 368 additions and 0 deletions


@ -0,0 +1,24 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Dmitry Muhomor <muhomor.dmitry@gmail.com>
Date: Thu, 9 May 2024 23:02:17 +0300
Subject: [PATCH] fix DNS leak in VPN lockdown mode when VPN is down
---
server/NetworkController.cpp | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/server/NetworkController.cpp b/server/NetworkController.cpp
index ecb4ceed..0229ffb8 100644
--- a/server/NetworkController.cpp
+++ b/server/NetworkController.cpp
@@ -191,8 +191,8 @@ int NetworkController::setDefaultNetwork(unsigned netId) {
uint32_t NetworkController::getNetworkForDns(unsigned* netId, uid_t uid) const {
android::RWLock::AutoRLock lock(mRWLock);
Fwmark fwmark;
- fwmark.protectedFromVpn = true;
- fwmark.permission = PERMISSION_SYSTEM;
+ fwmark.protectedFromVpn = canProtectLocked(uid);
+ fwmark.permission = getPermissionForUserLocked(uid);
if (checkUserNetworkAccessLocked(uid, *netId) == 0) {
// If a non-zero NetId was explicitly specified, and the user has permission for that
// network, use that network's DNS servers. Do not fall through to the default network even
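Review bot: The two replaced assignments change the DNS query's mark from a fixed system-level, VPN-bypassing mark to the caller's own `canProtectLocked(uid)` and `getPermissionForUserLocked(uid)` values, but nothing in the hunk records why, and the same two lines are added again in the sections at L81, L146, L211, L276 and L341. A short comment above `Fwmark fwmark;` such as `// Mark the DNS query with the caller's own VPN-bypass and network-permission bits so lockdown rules apply to it exactly as they apply to the app's other traffic` would let the intent survive the next rebase. The patch headers at L15, L41, L82, L106, L147, L171 and L212 carry an all-zero `From` hash while those at L236, L277, L301 and L342 carry real ones; harmless to `git am`, but worth making consistent. The function body continues past the end of the hunk.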


@ -0,0 +1,42 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Micay <daniel.micay@grapheneos.org>
Date: Wed, 31 Jul 2024 02:44:05 -0400
Subject: [PATCH] relax VPN DNS leak prevention for incompatible apps
This avoids attempting to fix the leaks for VPN apps causing leaks
through not configuring DNS. This can be reliably fixed from the VPN
app's side.
---
server/NetworkController.cpp | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/server/NetworkController.cpp b/server/NetworkController.cpp
index e2467709..fbf136ce 100644
--- a/server/NetworkController.cpp
+++ b/server/NetworkController.cpp
@@ -192,7 +192,7 @@ int NetworkController::setDefaultNetwork(unsigned netId) {
uint32_t NetworkController::getNetworkForDnsLocked(unsigned* netId, uid_t uid) const {
Fwmark fwmark;
- fwmark.protectedFromVpn = canProtectLocked(uid);
+ fwmark.protectedFromVpn = true;
fwmark.permission = getPermissionForUserLocked(uid);
// Common case: there is no VPN that applies to the user, and the query did not specify a netId.
@@ -204,6 +204,7 @@ uint32_t NetworkController::getNetworkForDnsLocked(unsigned* netId, uid_t uid) c
*netId = mDefaultNetId;
fwmark.netId = *netId;
fwmark.explicitlySelected = true;
+ fwmark.protectedFromVpn = canProtectLocked(uid);
return fwmark.intValue;
}
@@ -221,6 +222,8 @@ uint32_t NetworkController::getNetworkForDnsLocked(unsigned* netId, uid_t uid) c
if (network && network->getType() == Network::VIRTUAL &&
!static_cast<VirtualNetwork *>(network)->getHasDns()) {
*netId = mDefaultNetId;
+ } else {
+ fwmark.protectedFromVpn = canProtectLocked(uid);
}
} else {
// If the user is subject to a VPN and the VPN provides DNS servers, use those servers
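Review bot: After this patch the only visible path that keeps the VPN-bypassing `protectedFromVpn = true` from the first changed line is the third hunk's fallback, where `*netId = mDefaultNetId;` sends the query to the default network because the VPN has no nameservers — exactly the leak the preceding patch closed — and the hunk carries no comment saying this is now deliberate. I would add above `*netId = mDefaultNetId;` something like `// VPN that did not configure DNS: intentionally let the query bypass the VPN via the default network instead of failing; VPN apps must set DNS servers to be covered (see commit message)`. Setting `true` up front and overriding it in two later branches also makes the leaking case the implicit default; if the branch after the trailing `else` (which continues outside the hunk) does not rely on that `true` default, keeping `canProtectLocked(uid)` as the initial value and assigning `true` only in the no-nameservers fallback would express the exception in one place and drop the two `else` additions. The same patch is added in the sections at L105, L170, L235 and L300.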


@ -0,0 +1,24 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Dmitry Muhomor <muhomor.dmitry@gmail.com>
Date: Thu, 9 May 2024 23:02:17 +0300
Subject: [PATCH] fix DNS leak in VPN lockdown mode when VPN is down
---
server/NetworkController.cpp | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/server/NetworkController.cpp b/server/NetworkController.cpp
index 20ae44b2..93ccf202 100644
--- a/server/NetworkController.cpp
+++ b/server/NetworkController.cpp
@@ -204,8 +204,8 @@ int NetworkController::setDefaultNetwork(unsigned netId) {
uint32_t NetworkController::getNetworkForDnsLocked(unsigned* netId, uid_t uid) const {
Fwmark fwmark;
- fwmark.protectedFromVpn = true;
- fwmark.permission = PERMISSION_SYSTEM;
+ fwmark.protectedFromVpn = canProtectLocked(uid);
+ fwmark.permission = getPermissionForUserLocked(uid);
// Common case: there is no VPN that applies to the user, and the query did not specify a netId.
// Therefore, it is safe to set the explicit bit on this query and skip all the complex logic


@ -0,0 +1,42 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Micay <daniel.micay@grapheneos.org>
Date: Wed, 31 Jul 2024 02:44:05 -0400
Subject: [PATCH] relax VPN DNS leak prevention for incompatible apps
This avoids attempting to fix the leaks for VPN apps causing leaks
through not configuring DNS. This can be reliably fixed from the VPN
app's side.
---
server/NetworkController.cpp | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/server/NetworkController.cpp b/server/NetworkController.cpp
index 13921e92..4c424dc0 100644
--- a/server/NetworkController.cpp
+++ b/server/NetworkController.cpp
@@ -189,7 +189,7 @@ int NetworkController::setDefaultNetwork(unsigned netId) {
uint32_t NetworkController::getNetworkForDnsLocked(unsigned* netId, uid_t uid) const {
Fwmark fwmark;
- fwmark.protectedFromVpn = canProtectLocked(uid);
+ fwmark.protectedFromVpn = true;
fwmark.permission = getPermissionForUserLocked(uid);
// Common case: there is no VPN that applies to the user, and the query did not specify a netId.
@@ -201,6 +201,7 @@ uint32_t NetworkController::getNetworkForDnsLocked(unsigned* netId, uid_t uid) c
*netId = mDefaultNetId;
fwmark.netId = *netId;
fwmark.explicitlySelected = true;
+ fwmark.protectedFromVpn = canProtectLocked(uid);
return fwmark.intValue;
}
@@ -217,6 +218,8 @@ uint32_t NetworkController::getNetworkForDnsLocked(unsigned* netId, uid_t uid) c
if (network && network->getType() == Network::VIRTUAL &&
!RESOLV_STUB.resolv_has_nameservers(*netId)) {
*netId = mDefaultNetId;
+ } else {
+ fwmark.protectedFromVpn = canProtectLocked(uid);
}
} else {
// If the user is subject to a VPN and the VPN provides DNS servers, use those servers


@ -0,0 +1,24 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Dmitry Muhomor <muhomor.dmitry@gmail.com>
Date: Thu, 9 May 2024 23:02:17 +0300
Subject: [PATCH] fix DNS leak in VPN lockdown mode when VPN is down
---
server/NetworkController.cpp | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/server/NetworkController.cpp b/server/NetworkController.cpp
index 20ae44b2..93ccf202 100644
--- a/server/NetworkController.cpp
+++ b/server/NetworkController.cpp
@@ -204,8 +204,8 @@ int NetworkController::setDefaultNetwork(unsigned netId) {
uint32_t NetworkController::getNetworkForDnsLocked(unsigned* netId, uid_t uid) const {
Fwmark fwmark;
- fwmark.protectedFromVpn = true;
- fwmark.permission = PERMISSION_SYSTEM;
+ fwmark.protectedFromVpn = canProtectLocked(uid);
+ fwmark.permission = getPermissionForUserLocked(uid);
// Common case: there is no VPN that applies to the user, and the query did not specify a netId.
// Therefore, it is safe to set the explicit bit on this query and skip all the complex logic


@ -0,0 +1,42 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Micay <daniel.micay@grapheneos.org>
Date: Wed, 31 Jul 2024 02:44:05 -0400
Subject: [PATCH] relax VPN DNS leak prevention for incompatible apps
This avoids attempting to fix the leaks for VPN apps causing leaks
through not configuring DNS. This can be reliably fixed from the VPN
app's side.
---
server/NetworkController.cpp | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/server/NetworkController.cpp b/server/NetworkController.cpp
index 93ccf202..c7a8a132 100644
--- a/server/NetworkController.cpp
+++ b/server/NetworkController.cpp
@@ -204,7 +204,7 @@ int NetworkController::setDefaultNetwork(unsigned netId) {
uint32_t NetworkController::getNetworkForDnsLocked(unsigned* netId, uid_t uid) const {
Fwmark fwmark;
- fwmark.protectedFromVpn = canProtectLocked(uid);
+ fwmark.protectedFromVpn = true;
fwmark.permission = getPermissionForUserLocked(uid);
// Common case: there is no VPN that applies to the user, and the query did not specify a netId.
@@ -216,6 +216,7 @@ uint32_t NetworkController::getNetworkForDnsLocked(unsigned* netId, uid_t uid) c
*netId = mDefaultNetId;
fwmark.netId = *netId;
fwmark.explicitlySelected = true;
+ fwmark.protectedFromVpn = canProtectLocked(uid);
return fwmark.intValue;
}
@@ -231,6 +232,8 @@ uint32_t NetworkController::getNetworkForDnsLocked(unsigned* netId, uid_t uid) c
Network *network = getNetworkLocked(*netId);
if (network && network->getType() == Network::VIRTUAL && !resolv_has_nameservers(*netId)) {
*netId = mDefaultNetId;
+ } else {
+ fwmark.protectedFromVpn = canProtectLocked(uid);
}
} else {
// If the user is subject to a VPN and the VPN provides DNS servers, use those servers


@ -0,0 +1,24 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Dmitry Muhomor <muhomor.dmitry@gmail.com>
Date: Thu, 9 May 2024 23:02:17 +0300
Subject: [PATCH] fix DNS leak in VPN lockdown mode when VPN is down
---
server/NetworkController.cpp | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/server/NetworkController.cpp b/server/NetworkController.cpp
index 20ae44b2..93ccf202 100644
--- a/server/NetworkController.cpp
+++ b/server/NetworkController.cpp
@@ -204,8 +204,8 @@ int NetworkController::setDefaultNetwork(unsigned netId) {
uint32_t NetworkController::getNetworkForDnsLocked(unsigned* netId, uid_t uid) const {
Fwmark fwmark;
- fwmark.protectedFromVpn = true;
- fwmark.permission = PERMISSION_SYSTEM;
+ fwmark.protectedFromVpn = canProtectLocked(uid);
+ fwmark.permission = getPermissionForUserLocked(uid);
// Common case: there is no VPN that applies to the user, and the query did not specify a netId.
// Therefore, it is safe to set the explicit bit on this query and skip all the complex logic


@ -0,0 +1,42 @@
From a1e9fbcf977b0c8598c618aa3677913b19407cda Mon Sep 17 00:00:00 2001
From: Daniel Micay <daniel.micay@grapheneos.org>
Date: Wed, 31 Jul 2024 02:44:05 -0400
Subject: [PATCH] relax VPN DNS leak prevention for incompatible apps
This avoids attempting to fix the leaks for VPN apps causing leaks
through not configuring DNS. This can be reliably fixed from the VPN
app's side.
---
server/NetworkController.cpp | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/server/NetworkController.cpp b/server/NetworkController.cpp
index a45d8556a..be4f7c19d 100644
--- a/server/NetworkController.cpp
+++ b/server/NetworkController.cpp
@@ -209,7 +209,7 @@ int NetworkController::setDefaultNetwork(unsigned netId) {
uint32_t NetworkController::getNetworkForDnsLocked(unsigned* netId, uid_t uid) const {
Fwmark fwmark;
- fwmark.protectedFromVpn = canProtectLocked(uid);
+ fwmark.protectedFromVpn = true;
fwmark.permission = getPermissionForUserLocked(uid);
Network* appDefaultNetwork = getPhysicalOrUnreachableNetworkForUserLocked(uid);
@@ -224,6 +224,7 @@ uint32_t NetworkController::getNetworkForDnsLocked(unsigned* netId, uid_t uid) c
*netId = defaultNetId;
fwmark.netId = *netId;
fwmark.explicitlySelected = true;
+ fwmark.protectedFromVpn = canProtectLocked(uid);
return fwmark.intValue;
}
@@ -239,6 +240,8 @@ uint32_t NetworkController::getNetworkForDnsLocked(unsigned* netId, uid_t uid) c
Network *network = getNetworkLocked(*netId);
if (network && network->isVirtual() && !resolv_has_nameservers(*netId)) {
*netId = defaultNetId;
+ } else {
+ fwmark.protectedFromVpn = canProtectLocked(uid);
}
} else {
// If the user is subject to a VPN and the VPN provides DNS servers, use those servers


@ -0,0 +1,24 @@
From ab1a83dc36e17c4ec61def8cc7386f908e054add Mon Sep 17 00:00:00 2001
From: Dmitry Muhomor <muhomor.dmitry@gmail.com>
Date: Thu, 9 May 2024 23:02:17 +0300
Subject: [PATCH] fix DNS leak in VPN lockdown mode when VPN is down
---
server/NetworkController.cpp | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/server/NetworkController.cpp b/server/NetworkController.cpp
index 0b0e061a8..a45d8556a 100644
--- a/server/NetworkController.cpp
+++ b/server/NetworkController.cpp
@@ -209,8 +209,8 @@ int NetworkController::setDefaultNetwork(unsigned netId) {
uint32_t NetworkController::getNetworkForDnsLocked(unsigned* netId, uid_t uid) const {
Fwmark fwmark;
- fwmark.protectedFromVpn = true;
- fwmark.permission = PERMISSION_SYSTEM;
+ fwmark.protectedFromVpn = canProtectLocked(uid);
+ fwmark.permission = getPermissionForUserLocked(uid);
Network* appDefaultNetwork = getPhysicalOrUnreachableNetworkForUserLocked(uid);
unsigned defaultNetId = appDefaultNetwork ? appDefaultNetwork->getNetId() : mDefaultNetId;


@ -0,0 +1,42 @@
From a1e9fbcf977b0c8598c618aa3677913b19407cda Mon Sep 17 00:00:00 2001
From: Daniel Micay <daniel.micay@grapheneos.org>
Date: Wed, 31 Jul 2024 02:44:05 -0400
Subject: [PATCH] relax VPN DNS leak prevention for incompatible apps
This avoids attempting to fix the leaks for VPN apps causing leaks
through not configuring DNS. This can be reliably fixed from the VPN
app's side.
---
server/NetworkController.cpp | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/server/NetworkController.cpp b/server/NetworkController.cpp
index a45d8556a..be4f7c19d 100644
--- a/server/NetworkController.cpp
+++ b/server/NetworkController.cpp
@@ -209,7 +209,7 @@ int NetworkController::setDefaultNetwork(unsigned netId) {
uint32_t NetworkController::getNetworkForDnsLocked(unsigned* netId, uid_t uid) const {
Fwmark fwmark;
- fwmark.protectedFromVpn = canProtectLocked(uid);
+ fwmark.protectedFromVpn = true;
fwmark.permission = getPermissionForUserLocked(uid);
Network* appDefaultNetwork = getPhysicalOrUnreachableNetworkForUserLocked(uid);
@@ -224,6 +224,7 @@ uint32_t NetworkController::getNetworkForDnsLocked(unsigned* netId, uid_t uid) c
*netId = defaultNetId;
fwmark.netId = *netId;
fwmark.explicitlySelected = true;
+ fwmark.protectedFromVpn = canProtectLocked(uid);
return fwmark.intValue;
}
@@ -239,6 +240,8 @@ uint32_t NetworkController::getNetworkForDnsLocked(unsigned* netId, uid_t uid) c
Network *network = getNetworkLocked(*netId);
if (network && network->isVirtual() && !resolv_has_nameservers(*netId)) {
*netId = defaultNetId;
+ } else {
+ fwmark.protectedFromVpn = canProtectLocked(uid);
}
} else {
// If the user is subject to a VPN and the VPN provides DNS servers, use those servers


@ -0,0 +1,24 @@
From ab1a83dc36e17c4ec61def8cc7386f908e054add Mon Sep 17 00:00:00 2001
From: Dmitry Muhomor <muhomor.dmitry@gmail.com>
Date: Thu, 9 May 2024 23:02:17 +0300
Subject: [PATCH] fix DNS leak in VPN lockdown mode when VPN is down
---
server/NetworkController.cpp | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/server/NetworkController.cpp b/server/NetworkController.cpp
index 0b0e061a8..a45d8556a 100644
--- a/server/NetworkController.cpp
+++ b/server/NetworkController.cpp
@@ -209,8 +209,8 @@ int NetworkController::setDefaultNetwork(unsigned netId) {
uint32_t NetworkController::getNetworkForDnsLocked(unsigned* netId, uid_t uid) const {
Fwmark fwmark;
- fwmark.protectedFromVpn = true;
- fwmark.permission = PERMISSION_SYSTEM;
+ fwmark.protectedFromVpn = canProtectLocked(uid);
+ fwmark.permission = getPermissionForUserLocked(uid);
Network* appDefaultNetwork = getPhysicalOrUnreachableNetworkForUserLocked(uid);
unsigned defaultNetId = appDefaultNetwork ? appDefaultNetwork->getNetId() : mDefaultNetId;


@ -558,6 +558,7 @@ fi;
if enterAndClear "system/netd"; then
applyPatch "$DOS_PATCHES/android_system_netd/377024-backport.patch"; #R_asb_2023-12 Fix Heap-use-after-free in MDnsSdListener::Monitor::run #XXX
#applyPatch "$DOS_PATCHES/android_system_netd/0001-Fix_DNS_leaks.patch"; #Fix DNS leak in VPN lockdown mode when VPN is down (GrapheneOS) #XXX can break apps without relaxed variant backport
fi;
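Review bot: The commented-out `applyPatch` on the line above leaves the lockdown-mode DNS leak unfixed on this branch, but its `#XXX` trailer only says the fix "can break apps", not that the fix is deliberately withheld or what the backport is waiting on. I would expand it to `#XXX Fix_DNS_leaks intentionally NOT applied: without the relaxed variant it breaks apps whose VPN does not configure DNS; lockdown-mode DNS leak stays open on this branch until both are backported` so the next reader sees the security trade-off rather than a stale leftover. The relaxed patch rewrites the `canProtectLocked(uid)` line that the base patch introduces, so when both are backported they must be applied in that order, as the other script sections already do.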
if enterAndClear "system/nfc"; then


@ -686,6 +686,8 @@ fi;
if enterAndClear "system/netd"; then
applyPatch "$DOS_PATCHES/android_system_netd/378480.patch"; #P_asb_2023-12 Fix Heap-use-after-free in MDnsSdListener::Monitor::run
applyPatch "$DOS_PATCHES/android_system_netd/0001-Fix_DNS_leaks.patch"; #Fix DNS leak in VPN lockdown mode when VPN is down (GrapheneOS)
applyPatch "$DOS_PATCHES/android_system_netd/0001-Fix_DNS_leaks-relaxed.patch"; #Relax VPN DNS leak prevention for incompatible apps (GrapheneOS)
fi;
if enterAndClear "system/nfc"; then


@ -661,6 +661,8 @@ applyPatch "$DOS_PATCHES/android_system_netd/376607.patch"; #Q_asb_2023-11 Fix u
applyPatch "$DOS_PATCHES/android_system_netd/378074.patch"; #Q_asb_2023-12 Fix Heap-use-after-free in MDnsSdListener::Monitor::run
applyPatch "$DOS_PATCHES/android_system_netd/0001-Network_Permission.patch"; #Expose the NETWORK permission (GrapheneOS)
applyPatch "$DOS_PATCHES/android_system_netd/0002-hosts_toggle.patch"; #Add a toggle to disable /etc/hosts lookup (DivestOS)
applyPatch "$DOS_PATCHES/android_system_netd/0003-Fix_DNS_leaks.patch"; #Fix DNS leak in VPN lockdown mode when VPN is down (GrapheneOS)
applyPatch "$DOS_PATCHES/android_system_netd/0003-Fix_DNS_leaks-relaxed.patch"; #Relax VPN DNS leak prevention for incompatible apps (GrapheneOS)
fi;
if enterAndClear "system/nfc"; then


@ -453,6 +453,8 @@ fi;
if enterAndClear "system/netd"; then
applyPatch "$DOS_PATCHES/android_system_netd/0001-Network_Permission.patch"; #Expose the NETWORK permission (GrapheneOS)
applyPatch "$DOS_PATCHES/android_system_netd/0002-Fix_DNS_leaks.patch"; #Fix DNS leak in VPN lockdown mode when VPN is down (GrapheneOS)
applyPatch "$DOS_PATCHES/android_system_netd/0002-Fix_DNS_leaks-relaxed.patch"; #Relax VPN DNS leak prevention for incompatible apps (GrapheneOS)
fi;
if enterAndClear "system/sepolicy"; then


@ -409,6 +409,8 @@ fi;
if enterAndClear "system/netd"; then
applyPatch "$DOS_PATCHES/android_system_netd/0001-Network_Permission.patch"; #Expose the NETWORK permission (GrapheneOS)
applyPatch "$DOS_PATCHES/android_system_netd/0002-Fix_DNS_leaks.patch"; #Fix DNS leak in VPN lockdown mode when VPN is down (GrapheneOS)
applyPatch "$DOS_PATCHES/android_system_netd/0002-Fix_DNS_leaks-relaxed.patch"; #Relax VPN DNS leak prevention for incompatible apps (GrapheneOS)
fi;
if enterAndClear "system/sepolicy"; then


@ -410,6 +410,11 @@ if enterAndClear "system/extras"; then
applyPatch "$DOS_PATCHES/android_system_extras/0001-ext4_pad_filenames.patch"; #FBE: pad filenames more (GrapheneOS)
fi;
if enterAndClear "system/netd"; then
applyPatch "$DOS_PATCHES/android_system_netd/0001-Fix_DNS_leaks.patch"; #Fix DNS leak in VPN lockdown mode when VPN is down (GrapheneOS)
applyPatch "$DOS_PATCHES/android_system_netd/0001-Fix_DNS_leaks-relaxed.patch"; #Relax VPN DNS leak prevention for incompatible apps (GrapheneOS)
fi;
if enterAndClear "system/sepolicy"; then
applyPatch "$DOS_PATCHES/android_system_sepolicy/0002-protected_files.patch"; #Label protected_{fifos,regular} as proc_security (GrapheneOS)
applyPatch "$DOS_PATCHES/android_system_sepolicy/0003-ptrace_scope-1.patch"; #Allow init to control kernel.yama.ptrace_scope (GrapheneOS)